Aetna files $17 million settlement over low-tech privacy breach

Doing it wrong the old-fashioned way

Nowadays when we hear of a data breach, we think of hackers getting into a database and releasing private information, or a company posting customer information on its website without proper security measures in place. However, not all data exposures involve hacking or IT incompetence. Sometimes information leaks come in a low-tech package.

Last week Aetna agreed to pay a $17 million settlement for compromising thousands of HIV patients’ medical information. The cause of the data leak was the over-sized envelope window used to send out HIV medication notification letters to clients in 23 states.

Back on July 28, 2017, the health insurance giant sent out nearly 12,000 letters to customers who had filled prescriptions for HIV medications. Rather than using an in-house mailing department, Aetna outsourced the task.

The outside vendor chose to send the letters in envelopes with large, clear windows to display the patient’s address. Unfortunately, the windows were so large that they also revealed personal health information (PHI) including the HIV diagnosis.

The AIDS Law Project of Pennsylvania and the Legal Action Center immediately issued a demand letter to halt the mailings. In the meantime, Aetna had set up a relief effort for those affected. However, the two groups still filed a class-action lawsuit in the United States District Court for the Eastern District of Pennsylvania on behalf of the 11,875 affected clients. Aetna promptly settled out of court for $17,161,200 and issued a statement via NPR.

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

The agreement sets aside $12 million to award $500 to each person affected by the breach. Those who suffered additional financial and emotional distress can file a claim for up to $20,000 from the fund. There is also another group of about 1,600 who will receive $75 each for having their PHI exposed to the mail vendor and Aetna’s legal counsel. The remainder of the settlement will go towards lawyer fees and legal expenses.

The settlement is still pending approval from the court, but that is just a formality.